Re: [Doh] [Ext] Servers offering responses for domains they are not responsible for

Eliot Lear <lear@cisco.com> Mon, 06 November 2017 04:57 UTC

To: Paul Hoffman <paul.hoffman@icann.org>, "doh@ietf.org" <doh@ietf.org>
Cc: Mark Nottingham <mnot@mnot.net>
From: Eliot Lear <lear@cisco.com>
Message-ID: <06878054-f48c-0877-d556-a108a6241d01@cisco.com>
Date: Mon, 6 Nov 2017 05:57:34 +0100
In-Reply-To: <1819FF02-9147-48A8-867E-82BA58AC332A@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/28fE9gd00xlootfeggLWVfNATW0>

Hi Paul,

> In fact, I don't understand Eliot's concern here. DNS recursive resolvers (which is what a DOH server would be fronting for) are not "responsible for domains". Authoritative servers are responsible for domains.
>
> Eliot: can you say more about your concern here?

Sure.  DNS-based load balancing mechanisms assume that the source of a
query is going to be proximate to the originator.  Use of DoH may upset
that assumption.  In the extreme case, imagine having just one DoH
caching resolver out there, and all queries flowing to it, from anywhere
in the world.  Especially if it is caching, any number of queries would
end up returning addresses that are local to that one DoH server and not
to the originator.

I mentioned authority here only in as much as I don't care what a DoH
server does for services that are related to it, but if they are not,
and if it really is just acting as a caching resolver, then this issue
comes into play.

Eliot
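The proximity assumption Eliot describes, as an added model (example code, not from the thread): a GeoDNS authority answers according to where the query arrives from, so one central caching DoH resolver hands every client the address nearest the resolver. Regions, names and addresses are constructed sample values.

```python
"""Model of DNS-based load balancing when queries are funnelled through one
DoH caching resolver. All regions, names and addresses are constructed."""
from dataclasses import dataclass, field

# Constructed example: one service with a point of presence per region.
SERVICE = "www.example.com"
REGIONAL_POPS = {"eu": "192.0.2.10", "us": "198.51.100.10", "ap": "203.0.113.10"}


def authoritative(name: str, source_region: str) -> str:
    """GeoDNS authority: answer with the POP nearest the *query source*."""
    if name != SERVICE:
        raise ValueError(f"not authoritative for {name}")
    return REGIONAL_POPS[source_region]


@dataclass
class Resolver:
    region: str                         # where the resolver itself sits
    cache: dict = field(default_factory=dict)
    upstream_queries: int = 0

    def resolve(self, name: str) -> str:
        if name not in self.cache:
            self.upstream_queries += 1
            # The authority sees the resolver's location, not the client's.
            self.cache[name] = authoritative(name, self.region)
        return self.cache[name]


def answers_with_local_resolvers(client_regions):
    """Classic topology: each client uses a resolver in its own region."""
    resolvers = {r: Resolver(r) for r in set(client_regions)}
    return [resolvers[r].resolve(SERVICE) for r in client_regions]


def answers_with_single_doh(client_regions, doh_region="us"):
    """Extreme case from the mail: every client uses one DoH caching resolver.
    Returns the answers and how many queries actually reached the authority."""
    doh = Resolver(doh_region)
    return [doh.resolve(SERVICE) for _ in client_regions], doh.upstream_queries


def mismatches(client_regions, answers):
    """Count clients that received an address outside their own region."""
    return sum(REGIONAL_POPS[r] != a for r, a in zip(client_regions, answers))


if __name__ == "__main__":
    clients = ["eu", "us", "ap", "eu", "ap"]
    central, upstream = answers_with_single_doh(clients)
    print("local resolvers:", mismatches(clients, answers_with_local_resolvers(clients)))
    print("single DoH:", mismatches(clients, central), "mismatches from", upstream, "upstream query")
```

With the cache warm, the authority is consulted once and every later client inherits the answer chosen for the resolver's region.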